incident-response
Safeguard articles tagged "incident-response" — guides, analysis, and best practices for software supply chain and application security.
95 articles
Designing tamper-evident CloudTrail logging across an AWS organization
AWS CloudTrail's default event history holds only 90 days. A centralized, hash-validated org trail is what actually survives an incident or an audit.
Lessons from the CircleCI 2023 secrets breach
A stolen session cookie bypassed 2FA and let attackers read secrets from live memory. CircleCI's own timeline shows what fast rotation actually requires.
Ransomware defense strategy for engineering teams
Ransomware hit 44% of breaches in Verizon's 2025 DBIR, up from 32% a year prior. Here's the backup, access, and detection playbook that actually stops it.
Disaster recovery testing: a practical guide to tabletop, failover, and RTO/RPO drills
GitLab's 2017 outage revealed 5 backup mechanisms had silently failed for weeks — recovery took 18 hours because no one had ever test-restored one.
Disaster recovery testing methodologies compared
DR plans fail when they're never really tested. Here's how tabletop, simulation, parallel, and full interruption tests differ — and when each is worth the risk.
A patching playbook for critical open-source CVEs
Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.
Reverse shell attack mechanics and detection
Reverse shells flip the direction of the connection so outbound firewall rules never fire — here is how they work and the signals that catch them anyway.
Incident response playbook for a compromised dependency or CI action
23,000+ repos leaked secrets when tj-actions was hijacked in March 2025. Here's the revoke, rotate, and audit playbook for when it's your turn.
Anatomy of a Software Supply-Chain Worm: A Post-Mortem Framework
500+ npm packages backdoored in days, then 796 more two months later. A repeatable post-mortem framework for self-propagating open-source worms.
Credential rotation playbook after npm worm exposure
A step-by-step rotation runbook for security teams exposed to the Shai-Hulud npm worm — what to revoke first, how to verify a credential is dead, and how to prevent a repeat.
The npm worm incident response playbook
Shai-Hulud compromised 500+ npm packages by auto-publishing itself with stolen tokens. Here's a concrete detection, rotation, and pinning playbook.
Chaos engineering for security resilience testing
A one-hour Cloudflare R2 outage in March 2025 traced back to a mistyped deploy flag during credential rotation — exactly the failure a security chaos experiment is built to catch first.